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@ System and method for securing postage printing transactions. 

@ A postage meter includes printing (12) and account- 
*ing stations (14)v respectively interconnected through an 
insecure communications link (16). Each time the meter 
is tripped, anumber generator (20) at the printing station 
(12) is activated to generate a number signal which is en- 
crypted to provide an unpredictable result. The number 
signal is also transmitted to the accounting station (14). 
At the accounting station (14) the postage to be printed 
is accounted for and the number signal is encrypted (34) 
to provide a reply signal. The reply signal is transmitted to 
the printing station (12), where a comparator (42) com- 
pares it with the encryption result generated at the print- 
ing station (12). An equality of the encryption result and 
the reply signal indicates that the postage to be printed has 
l>een accounted for. The printer ist then activated. 



I 



: ■certwtii'l 

1 i"^*^ r 



o 
o 

a 

lU 



ACTORUM AG 



TITLE ^. :CZ-IED 

1 



0018081 



10 



SYSTEM FOR SECURING POSTAGE PRINTING TRANSACTIONS 

This invention relates generally to a postage meter system and 
more particularly to providing a secure meter system wherein printing and 
accounting stations are interconnected through an insecure link. In this 
specification the word 'system, has the connotation of apparatus rather than 
a method. 

Security factors have been of paramount significance in the 
design and construction of postage metering systems. Postal authorities 
have required adequate security devices to insure that postage printed is 
accounted for. With prior mechanical and electromechanical postage 
metering devices, security has been achieved through the employment of a 
single secure housing containing both the printing device and accounting 
registers. The housing generally included means for the ready detection of 
any unauthorised attempts to alter the accounting registers and/or attempts 
at the printing of postage without the recording of same in the accounting 
15 • registers. ' - 

In United States Patent Specification No. 3,978,*57 issued 
August 31, 1976, a micro-computerized electronic postage meter system was 
disclosed. Implementation of this system ^wiU greatly enhance postage 
accounting capabilities and facilitate new meter designs, as well as fully 
10 automated mail handling systems, wherein articles to be mailed can be 
sealed, weighed and the postage automatically applied thereto. 

In order to preserve a high level of system integrity, security 
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requirements dictated constraints upon system design. For example, in 
large console mailing systems optimum design considerations might suggest 
the placement of postage accounting processing means remote from the 
postage printing means. The servicing of such systems was difficult and 
cumbersome because security seals inhibited the servicing of components 
which were otherwise accessible. 

Furthermore, security considerations placed constraints upon 
utilising removable accounting processors which could be carried to the 
postal authorities for resetting. Naturally, large automated mailing con- 
soles could not be physically removed and brought to a post office for 
resetting the accounting means. 

Among the security problems inherent with the employment of 
separable printing and accounting stations was the possibility that one could 
gain access to an insecure communications link between separable elements 
and generate signals which would permit the printing of postage without the 
accounting for same at the accounting station. 

According to the present invention, we provide a system for 
securing postage printing transactions between a postage printing station 
having means for dispensing postage and an accounting station having 
processing means for registering the value of postage dispensed, the printing 
station and the accounting station being interconnected for data trans- 
mission through an insecure communications link, the system comprising 
means at one station for sequentially generating a number signal upon each 
printing transaction, the corfimunications means transmitting the number 
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signal from the one station to the other station, encryption means at each 
station, each encryption means receiving the number signal and in response 
thereto providing an encrypted signal, the means sequentially generating the 
number signal including means providing unpredictability in each sequen- 
tially encrypted signal pair, the printing station including comparison means, 
the communications link transmitting one of the encrypted signals to the 
comparison means, the comparison means comparing the one encrypted 
signal with the other encrypted signal and in response to the equality 
thereof enabling the postage dispensing means, whereby postage is imprinted 
only after the authenticity of an unpredictable encrypted signal has been 
verified at the printing station- 

The invention also provides a method by which such a system 
may be operated. 

In this specification reference is made to postage meters and 
mailing systems. It will be appreciated that the invention is applicable to 
any system where an article is franked for value or value is otherwise 
dispensed in connection with its transport, and the claims herein are to be 
construed accordingly. 

The present specification particularly discloses a postage meter 
having printing and accounting stations interconnected with an insecure 
communications link. In order to print desired postage, the printing station 
is activated and a number signal is generated. This number signal is 
encrypted at the printing station through the use of a secure key. The 
generated number signal is additionally transmitted to the accounting 
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Station wherein it is encrypted using a congruent key to provide a reply 
signal. The reply signal at the accounting station is transmitted to the 
printing station, and a comparison is made between the received reply signal 
cind the encryption result generated at the printing station; upon detection 
5 of a match, the printer is activated. 
^ The number generator at the printing station may comprise a 

random number generator such as a free running counter read at random or 
a consecutive operation counter or any other device capable of generating a 
nonrecurring or unpredictable number. Interception of the insecure trans- 
10 mission link and recording of the transmitted random number and/or 
encryption result will not provide information sufficient to anticipate a 
subsequent encryption result transmitted from the accounting station. 

The invention will now be particularly described with reference 
to the accompanying drawings, in which:- 
15 Fig» 1 is a schematized block diagram of an exemplary postage 

meter constructed in accordance with and embodying a first example of the 
invention and illustrating separate printing and accounting stations inter- 
connected by an insecure communications link; 

Fig. 2 is a typical flow diagram illustrating a routine for 
20 establishing a postage printing transaction at a printing station only upon an 
appropriate accounting for such transaction at the accounting station; 

Fig. 3 is a schematized diagram illustrating a typical random 
number generator which may be employed for providing a number signal at 
the printing station; and 
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Fig. * is a schematized block diagram of an alternate embodi- 
ment of the invention wherein a microprocessor controller is utilised for 
number generation, encryption and comparison at the printing station and 
the accounting processor is utilised for generating the encryption result at 
the accounting station. 

In the drawings, the reference numeral 10 denotes generally a 
postage metering device constructed in accordance with and embodying the 
present invention. The postage metering device 10 may comprise an 
electronic postage meter system such as that disclosed in United States 
Patent I^o. 3,978,*57 or a mechanical or electromechanical postage meter 
printing mechanism such as that employed in conventional postage meters 
used in conjunction with a microprocessor accounting system. 

The postage metering device 10 includes a printing station 12 and 
an accounting station 1*. An insecure communications link 16 interconnects 
the printing station 12 and the accounting station W. The communications 
link 16 may comprise cables interconnecting the printing and accounting 
stations within a mailing system console, or a plug and socket connector 
whereby a removable accounting station '14 is connected to the printing 
station 12. Optionally, the communications link 16 may comprise telephone 
lines whereby a remotely located accounting station 14 controls the opera- 
tion of the printing station 12 and permits the dispensing of postage only 
after an appropriate accounting for such postage has been entered in a 
memory. 

. The printing station 12 includes a printer trip sensor 18 which 



0018081 



may compu-ise, for example, a trip sensor similar to that employed in typical 
known postage/mailing machines. Upon actuation of the trip sensor 18, a 
signal is provided at a number generator 20. The number generator 20 
generates a digital NUMBER SIGNAL signal comprising a plurality of bits, 
which NUMBER SIGNAL is subject to encryption at the printing station 12 
using a secure encryption key. 

In addition, the NUMBER SIGNAL is transmitted at a trans- 
mitter 28 to the accounting station 14 through the insecure link 16. The 
transmitter 28 may comprise a universal asynchronous receiver and trans- 
mitter such as an American Microsystems S 1757 or a Texas Instruments 
TMS 6010 data interface. If the communications link 16 comprises telephone 
lines, appropriate tone encoding and decoding modems will be employed. 

The NUMBER SIGNAL is' received at a receiver 30 of the 
accounting station. The receiver 30 may comprise a compatible universal 
asynchronous receiver and transmitter. Upon receipt of the NUMBER 
SIGNAL, an accounting processor 32, e.g. an Intel 8048 microprocessor, 
makes appropriate entries in its memory to charge the user's account for the 
postage to be dispensed. 

In addition, the NUMBER SIGNAL is transmitted to an encryptor 
34 at the accounting station. The encryptor may comprise any readily 
available encryption device which may, for example, encrypt in accordance 
with the United States of America NBS Data Encryption Standard pursuant 
to a preset secure key. An example of a typical encryption device suitable 
for such purpose is the Intel 8294 encryptor. The encryptor 34 provides an 
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encryption result which comprises a REPLY SIGNAL for the printing station 
12. The REPLY SIGNAL is transmitted at a transmitter 36 comprising a 
universal asynchronous receiver and transmitter similar to the receivers and 
transmitters previously described. < 
5 At the printing station 12, the REPLY SIGNAL is accepted at a 

receiver 38 comprising a further asynchronous receiver and transmitter. It 
should be appreciated that if, for example, a Texas Instruments TMS 6010 
duplex data interface is employed, the transmitter 28 and receiver 38 may 
comprise segments of a single chip. Similarly, the receiver 30 and 
10 transmitter 36 of the accounting station may comprise segments of a single 
chip. 

The receiver 38 groups the first eight bits of the REPLY SIGNAL 

and transmits a DATA READY signal to an encryptor 40 at the printing 

' ■ . ' ' ' '' , . ' 

station. 

15 At this, time, the encryptor W has received the NUMBER 

SIGNAL from the number generator 20 and has encrypted said signal using 
the same secure key as used at the accounting station encryptor 3*. 

The DATA READY signal appearing at the encryptor '^O will 
cause the first eight bits of the encrypted signal to be transmitted from the 

20 encryptor 40 to a comparator 42. The comparator 42 may comprise a 
conventional comparator such as a Texas Instruments 7485 or a Signetics 
9324, for example, which chips may be stacked as necessary. 

At the comparator 42 the REPLY SIGNAL is compared with the 
signal generated at the encryptor 40; and if a match is indicated, 
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subsequent bits of the REPLY SIGNAL are compared until the entire REPLY 
SIGNAL has been matched, after which a postage printing mechanism Uit is 
actuated. 

Upon detection of a mismatch at the comparator ^^2, the printer 
5 is locked. It should be appreciated that for security purposes the REPLY 

3 . ^^^'^^^ t'^e. encryption result at the comparator should comprise 

more than eight bits. In lieu of sequentially loading the comparator eight 
bits at a time, the comparator may comprise a plurality of stacked 

comparator chips and, if necessary, suitable storage registers for parallel 
10 loading and comparisbn of up to, for example, sixty-four bit signals. . 

reference now to Fig. 2 wherein various steps of the 
: . . . accounting verification routine are depicted, the number generator 20 

generates a digital NUMBER SIGNAL at the printing station 12, and this 
• , signal is transmitted over insecure transmission means 16 to the accounting 

• -^y ' ': ' s^atio" 1* which may comprise a processor.! At the accoiinting station, the 
' ' : : NUMBER SIGNAL is received and an accounting entry is performed with 

• C ; . '■esP^t to the value to be dispensed at the printing station 12. In addition, 

' NUMBER SIGNAL received is used for the generation of the REPLY 

- SIGNAL at ah encryptor utilising a secure encryption key. The REPLY 
. 20 SIGNAL is then transmitted over the insecure link 16 to the point of origin. 
' ■ - ■■ ™^ REPLY SIGNAL is compared with an encrypted signal 

generated at the printing station utilising the identical NUMBER SIGNAL 
and the same encryption key. Upon recognition of an equality between the 
. . encryption result generated at the printing station and the REPLY SIGNAL 
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received at the printing station, a value dispensing operation, i.e. the 
printing of postage, is performed. 

In order to preserve security it is essential that the REPLY 
SIGNAL which authorises the dispensing of value at the printing station be 
unpredictable. Assuming that both the printing station 12 and the account- 
ing station 14 are secure, e.g. contained within tamper-proof housings, the 
encryption keys will not be ascertainable; therefore, in order to assure 
unpredictabiUty of REPLY SIGNALS, it is necessary that the REPLY 
SIGNAL does not repeat itself with any degree of predictability. 

Because the same NUMBER SIGNAL will provide an identical 
REPLY SIGNAL from the accounting means, the number generator 20 is 
required to generate sequential number signals which are either unique or 
unpredictable. An example of a suitable number generator 20 for the 
generation of unpredictable number signals Is illustrated in Fig. 3 wherein a 
typical free-running counter is shown. 

The generator 20 comprises an oscillator 22, the output of which 
is fed to a dual four bit asynchronous binary counter 2*. In order to obtain a 
number signal of sufficient length, additional counters such as a counter 26 
may be placed In series. As shown in Fig. 3, the two counters 2*, 26 provide 
sixteen bits which will generate 65,536 different numbers; and if the 
oscillator 22 oscillates at 25 MHz, a given number will repeat every 2.62 
milliseconds. It should be appreciated that obtaining a reading from the 
counter output upon every actuation of the trip sensor 18 wiU result in the 
production of a random number. 
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In the alternative, various other devices such as a pseudorandom 
number generator may be used to generate the NUMBER SIGNAL. A further 
alternative for number generation is a consecutive number counter which 
totals the number of times the trip sensor 18 has been actuated or a register 
at the printing station which totals the monetary amounts printed. The 
readings from such registers, although predictable, will not be duplicated 
and will generate different REPLY SIGNALS which, absent knowledge of the 
encryption key, will be unpredictable. Accordingly, any system for the 
sequential generation of NUMBER SIGNALS which result in an unpredictable 
encryption result may also be used. 

, It should be appreciated that the system for securing postage 

printing transactions heretofore described has been shown in an exemplary 
manner illustrating a isimple postage printing transaction wherein the 
printing station dispenses the same monetary value of postage after being 
tripped, each time. In the event that variable amounts of postage are to be 
printed, i.e. a multidenomination printer is to be employed, the amount of 
postage set at the printing unit upon each trip may be encoded as a digital 
signal and sent as part of the NUMBER SIGNAL to the accounting station 1*. 
In order to authorise the printing of postage, both the generated number and 
the postage value portions of the NUMBER SIGNAL may be encrypted to 
provide a single REPLY SIGNAL. ' 

At the printing station both the generated number and the 
postage value signal are encrypted at the encryptor W to provide an 
encryption result which is transmitted to the comparator to be verified 
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against the REPLY SIGNAL. 

Verification of an equality between the encryption result and the 
REPLY SIGNAL ensures that the monetary value to be printed has been 
accounted for, and upon such verification the printing mechanism 44 is 
actuated. 

In Fig. 4 an alternative embodiment of the invention is illustra- 
ted wherein like numerals denote like components of the embodiment 
heretofore described, however bearing the suffix 'a'. In this embodiment 
microprocessors are programmed for the implementation of various routines 
in lieu of the logic components heretofore described. 

A postage metering device 10a includes a printing station 12a and 
an accounting station 14a interconnected by an insecure communications link 
16a. Upon actuation of a trip sensor 18a, a signal is transmitted to a 
controller 50a which may comprise a microprocessor similar to the account- 
ing processor 32 heretofore described and which is suitably programmed for 
the generation of a NUMBER SIGNAL. The NUMBER SIGNAL fulfills the 
criterion heretofore discussed such that upon encryption with a fixed 
encryption, an unpredictable encryption result will be provided. 

At the printing station 12a a transmitter 28a transmits the 
number signal to the accounting station 14a through the insecure communi- 
cations link 16a. 

At the accounting station a receiver 30a is provided to group the 
bits of the NUMBER SIGNAL in parallel format and transmit the NUMBER 
SIGNAL to an accounting processor 32a similar to the processor 32 
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heretofore described; however the processor 32a is programmed to encrypt 
the NUMBER SIGNAL and generate a REPLY SIGNAL in addition to 
recording the postage printing transaction. The REPLY SIGNAL is trans- 
mitted from the accounting processor 32a through a transmitter 36a similar 
to the transmitter 36 heretofore described and the communications link 16a 
to the printing station 12a. 

At the printing station 12a a receiver 38a receives the REPLY 
SIGNAL and forwards same in parallel format to the controller 50a 
whereupon the controller compares the REPLY SIGNAL to the encryption 
result which was generated from the NUMBER SIGNAL. Upon verification 
of an equality between the two signals, the controller 50a actuates a 
printing mechanism 4^a to complete the transaction and dispense postage. 

Various modifications: of the present invention will be readily 
apparent to those skilled in the art. For example, alternate means may be 
provided for generating the . NUMBER SIGNAL which will provide, upon 
encryption, an unpredictable encryption signal. 

Further j number signal generation and transmission may be 
eliminated by the placement of congruent pseudorandum number generators 
at both the printing station and the accounting station., In such an instance 
the accounting station will transmit its pseudorandum number to the 
printing station where the comparison is made. The employment of 
pseudorandum number generators will require, however, nonvolatile mem- 
ories at both number generators in order to retain the seed numbers 
requisite for the sequential generation of numbers. 



0018081 



13 



With regard to the communication link, the NUMBER SIGNAL 
and REPLY SIGNAL may be parallel loaded directly across the link rather 
than serially transmitted whereupon the employment of transmitter- 
receiver UARTs will be unnecessary. 
5 Further, the initial printing of postage may take place immedi- 

ately, and the printer enabled to make a subsequent printing only after 
verification of the REPLY sIgNAL which is received at the printing station 
after accounting has taken place. 

Thus, it will be seen that the systems disclosed are well suited to 
) meet the conditions of practical use. 

It will be seen that the particular embodiments described and 
illustrated provide:- 

(a) a system for securing postage printing transactions of the 
general character described which permits an enhanced flexibility in mailing 
system design by eliminating the requirement for a physically secure link 
between a printing station and an accounting station; 

(b) a system for securing postage printing transactions of the 
character described which enables one to use removable accounting means; 

(c) a system which facilitates ready access to serviceable 
postage mailing system components without the necessity of disturbing 
securing devices; and 

(d) a system which prevents unauthorised actuation of a postage 
printing mechanism. 
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CLAIMS 

1. A system for securing postage printing transactions between 
a postage printing station having means for dispensing postage and an 
accounting station having processing means for registering the value of 
postage dispensed, the printing station and the accounting station being 
interconnected for data transmission through an insecure communications 
link, the system comprising means at one station for sequentially generating 
a number signal upon each printing transaction, the communications means 
transmitting the number signal from the one station to the other station, 
encryption means at each station, each encryption means receiving the 
number signal and in response thereto providing an encrypted signal, the 
means sequentially generating the number signal including means providing 
unpredictability in each sequentially encrypted signal pair, the printing 
station including comparison means, the communications link transmitting 
one of the encrypted signals to the comparison means, the comparison 
means comparing the one encrypted signal with the other encrypted signal 
and in response to the equality thereof enabling the postage dispensing 
means, whereby postage is imprinted only after the authenticity of an 
unpredictable encrypted signal has been verified at the printing station, 

2. A system in accordance with claim 1 wherein the one station 
comprises the printing station. 
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3. A system in accordance with claim 1 or 2, wherein the means 
for sequentially generating a number signal upon each printing transaction 
comprises either a random number generator or an ascending register. 

A system in accordance with claim 1, 2 or 3, wherein the 
number signal is transmitted serially from the one station to the other 
station, the system further including an interface interconnecting the means 
sequentially generating a number signal with the communications link and a 
further interface interconnecting the communications link with one of the 
encryption means. 

5. A system in accordance with claim U further including 
interface means serially transmitting the one encrypted signal, the printing 
station including an interface, the printing station interface receiving the 
serially -transmitted one encrypted signal and in response thereto grouping 
the one signal and providing a signal indicative of the completion of said 
grouping, the encryption means at the printing station receiving the 
completion signal and in response thereto providing a correlated grouping of 
encrypted signals, the comparator receiving the correlated grouping of 
encrypted signals and the grouping of the one signal and in response to the 
equality thereof enabling the postage dispensing means. 

6. A system in accordance with any preceding claim wherein the 
postage printing station further includes means generating a postage value 
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signal upon each printing transaction, the number signal including the 
postage value signal. 

7. A system in accordance with any preceding claim wherein the 
accounting station is separable from the printing station whereby the 
accounting station may be removed for resetting the processing means. 

8. A method of rendering secure postage printing transactions 
between a postage printing station having means for dispensing f>ostage and 
an accounting station having processing means for registering the value of 
postage printed, wherein the postage printing station and the accounting 
station are interconnected through an insecure communications link, said 
method comprismg the steps of 

(a) sequentially generating an unpredictable signal at the printing 
station upon each printing transaction, 

(b) sequentially generating a corresponding unpredictable signal 
at the accounting station upon each printing transaction, 

(c) transmitting the corresponding unpredictable signal from the 
accounting station to the printing station, 

(d) comparing the unpredictable signal generated at the printing 
station with the corresponding unpredictable signal trainsmitted to the 
printing station, and 

(e) authorising the printing of postage in rejsponse to the detec- 
tion of a coincidence between the two unpredictable signals. 
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9. A method in accordance with claim 8 wherein the unpredict- 
able signal is generated at each station by encrypting a sequentially 
generated number signal. 

10. A method in accordance with claim 8 or 9 wherein the 
number signal is sequentially generated at one of the stations and trans- 
mitt ed to the Other Station. 

11. A method in accordance with claim 10 wherein each 
sequential number signal is non-recurring. 

12. A method in accordance with claim 10 or 11 wherein the 
number signal is generated randomly or pseudorandomly. ' 
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